eest Available Copy 



SECURE DELAY OF HASH OUTPUT 

A secure delay according to various aspects of the present inventions can be 
applied in other areas than just passphrase security. For examplje, a hash value can be 
run through a secure delay to produce a smaller hash Value that would be 
computationally infeasible to derive based on a birthday attack. In one conceived 
embodiment, a 160-bit hash value is repeatedly run through a secure delay for a 
predetermined number of iterations that, given a security selection, corresponds to an 
acceptable unit delay. (An example of an acceptable unit delay i? 1 second.) At the end 
of each unit delay, a sub-hash is computed from the current output of the secure delay 
and displayed. 

A person wishing to compare hash values can begin comparing a first group of 
digits corresponding to the first sub-hash after the first unit delay!, and while the second 
unit delay is underway. When the person looks for the secojnd group of digits to 
compare, the second unit delay (when optimally chosen) is already completed and the 
third unit delay is underway. 

Thus, a securely delayed hash system according to various aspects of the 
inventions can provide a smaller hash value with the same security as the larger hash 
value from which it is derived. The loss in entropy in the smallejr value is offset by the 
computational difficulty (from the secure delay) of obtaining |:he smaller value. An 
attacker wishing to find a larger hash value that produces the sjmaller hash value will 
need to run the secure delay, on average, N2/2 times with the secure delay 
computation for each iteration. 

If T = delay time (on an equivalent processor as that of th^ legitimate user), then 
T2 - T*N2/2. If T = 1 second, and the required T2 - 1,000,009 CPU y ears ' then the 
required N2 ~= 2 A 21, a much smaller value than, say, 2 A 160. j 

Since a hash value is not particularly sensitive, it can be sekt freely over in secure 
networks. It is conceivable that^nternet site can be established jfor quickly computing 
smaller "sub-hashes" based on transmitted hash values thrpugh an open-source, 
standardized secure delay algorithm. However, it is more likeljy that the market will 
demand simplicity and standardization, and an average delay within the reach of the 
average desktop PC. (The remote-computation model may be useful for portable 
computers, though.) 
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VIRTUAL SIGNATURE PRINTER 

According to various aspects of the present inventions, anielectronic record (e.g., 
MS Word document, AUTOCAD drawing, etc.) can be signed by| "printing" that record 
to a special "virtual signature printer." An example of a virtual printer is the "PDF 
Writer" printer driver that is installed with the ADOBE ACROBAT software. The 
inventive "virtual signature printer" provides the user with an iijtuitive, simple way of 

authenticating an electronic record. j 

i 

The "virtual signature printer" system produces an output file (or multiple files, 
see below) that can be sent to a recipient for viewing, printing, and validation. The 
recipient can view or print the file (preferably, the file is "backward compatible" 
compatible with widely available viewing software) and, withj special software, can 
validate the signature on the file. j 

A particularly advantageous way of signing an electronii: record that has been 
"printed" this way is with embedded signatures. However, a "virtual signature printer" 
system can employ any suitable technique for signing an Electronic record. The 
following are some examples of output of such a system: 

• A PS or TIFF file (or, with suitable licensing if necessary, a PDF file) 
representing the document, accompanied by a detached PGP-compatible 
signature file. j 

• A ZIP file containing a PS, TIFF, or PDF file representing the document 
including a ZIP comment containing a Base-64 PGP-coifipatible signature. 

• A PGP-signed file containing the document in a PS, TIF(F, or PDF file. 
When the signer wishes to electronically sign a document he or she can print the 

document to the virtual signature printer driver, using the pript functionality of the 
software used to create the document. The printer driver creates a window in which the 
software requests the signer's authenticating information. The usjer can enter his or her 
passphrase, apply his or her fingerprint to a fingerprint scanner, ijnsert a smart card, etc. 
The software then computes the digital signature for the document, based on the 
authenticating information or a private key unlocked by the authenticating information, 
and embeds the digital signature with an output file or includes the digital signature in 
a separate file. 
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VIA EMAIL 

Thomas E. Workman, Jr., Esq. 
Law Offices of Thomas Workman 
41 Harrison Street 
Taunton, MA 02780 

Re: Cryptography Technology 

Dear Ted: j 

This brief disclosure is an example of a clear-signed docuijnent with a simulated 
digital signature (25x13 bits = 325 bits) that resides as a graphic within a signature block 
that is excluded from the signature calculation of the document. In an actual 
implementation, the user will place the signature block in the document and will then 
"print" the document to the digital signature printer driver. The driver will then create a 
graphic file such as a TIFF (multi-page if necessary), remove the graphics in the region 
where the signature block will go (setting that graphic data to a 1 default blank value), 
compute signature for the entire document except the signature region, and place the 
signature data in the region as graphic-mode text. 

The document's signature can be verified simply by opening it with a customized 
TIFF reader, which will detect the presence of the signature regioh and will validate the 
signature within it against the data of the document except thje graphics within the 
signature block. An option can be provided to put the signature data on an entirely 
separate page of the document (e.g., after the last page), preferably with a facsimile copy 
of the signer's ACL (In such embodiments, the ACI should have! a blank space for the 
signature data of document signed with the ACI's signing key.) j^yvg - q ) 

An exemplary process is illustrated in the attached FIG. \ , in which a signer 
creates a document (e.g., this letter) using whatever software he (or she) wishes to use (e.g., 
Microsoft Word 97). He then prints the document to the SelfCejrtify.com virtual TIFF 
printer (call it a "software signature machine"?). The printer driver koftware creates a TIFF 
file of the document and displays it in a viewer window. The user interface of the viewer 
window requests the following input from the signer: j 

1 . Selection of a graphical region within the displayed docuknent for application of 
the signer's digital signature "stamp." The user can specify the region by moving 
a dashed box around the screen. The dashed box can have left and right arrows 
within it for navigating to different pages of a multi-pjige document, and an 
"Sign Here" or "OK" button for applying the digital signature "stamp" at the 



Thomas E. Workman, Jr., Esq. 
Page 2 

current location of the box. An unsigned signature page <j>f this letter is attached 
showing what such a box might look like as it is mov'ed around during the 
selection process. j 

2. Authentication from the signer to apply his digital signature to the document 
within the digital signature "stamp" at the selected location. As discussed in 
other disclosures, the authentication can be a securely delayed passphrase input. 

signature stamp and 



When the signer has selected the location of the digital 



provided authentication for its creation, the printer driver software removes all graphic 
information from the selected location. It then computes the digital signature based on (1) 
the remaining data of the TIFF file (exclusive of the location of tine stamp) and (2) the 
signer's private key. v ' 

™™ Advantageously, ^ ^^ed document is in a conventional format (e.g., multi-page 
TIFF) that can be read by any conventional viewer is signature! authentication is not 
needed. When signature authentication is needed, a document cafi be viewed using the 
Se fCertify.com TIFF viewer (which may be distributed freely! to encourage use of 
SelfCertify .corn's digital signature services). j 

To verify a digital signature, the viewer searches the graphical rendering of the 
signed document for the distinctive graphical outline of the signage block. Distinctive 
features of the graphical outline can include (1) a distinctive coloij such as maroon (2) a 
distinctive line shape such as double parallel lines, and (3) a distinctive line weight such 
as 32 points (not an integer or x.5 fraction). All of these distinctive! properties are present 
in the simulated signature block for this document. In addition, t(ie signature block can 
have a predetermined size to further identify it. 

Once the viewer software has identified the exact location of the signature block 
it removes all of the graphic data of the signature block (up to and including the border) 
and sets it to the default blank value used during signature calculation. It performs an 
optical character recognition of the signature data within the block to obtain the value of 
the digital signature. According to advantageous aspects of thje invention disclosed 
elsewhere, the digital signature can be applied to a secure delay tq obtain another, larger 
digital signature value. The digital signature value (as shown or as expanded through a 
secure delay) is then validated against the modified TIFF representation of the document 



Very truly yours, 



NOTE: Signature data can be in the 
form of a bar code (1 D or 2D). If 
license to PDF format could be 
obtained, could include signature 
characters as data (not image pixels) 
and search would be very simple 
search for key tag characters in file. 



-SelfCertify.com Digital $ignature- 

1410-2708-9007-5781-6673 
7701-3376-8745-37?9-9100 
7440-2788-7101-4089-2409 
5420-2178-9001-76^0-1477 
7731-3376-2645-3789-9105 
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j 

current location of the box. An unsigned signature page of this letter is attached 
showing what such a box might look like as it is moved around during the 
selection process. 

2. Authentication from the signer to apply his digital signature to the document 
within the digital signature "stamp" at the selected location. As discussed in 
other disclosures, the authentication can be a securely delayed passphrase input. 
When the signer has selected the location of the digital signature stamp and 
provided authentication for its creation, the printer driver software removes all graphic 
information from the selected location. It then computes the digital signature based on (1) 



|the stamp) and (2) the 



the remaining data of the TIFF file (exclusive of the location of 
signer's private key 

t™t* ^ dvanta S eousl y' the signed document is in a conventional format (e.g., multi-page 
V .f^ an be read by any conventi onal viewer is signature authentication is not 
needed. When signature authentication is needed, a document can be viewed using the 
SelfCertify.com TIFF viewer (which may be distributed freeljf to encourage use of 
SelfCertify .corn's digital signature services). j J 

To verify a digital signature, the viewer searches the graphical rendering of the 
signed document for the distinctive graphical outline of the signature block. Distinctive 
features of the graphical outline can include (1) a distinctive colour such as maroon, (2) a 
distinctive line shape such as double parallel lines, and (3) a distinctive line weight such 

as 32 points (not an integer or x.5 fr; r - , \ n -operties are present 

in the simulated signature block for I lis documen^Iriiiddition, ti I signature block can 
have a predetermined size to furthe J dei^j it.l e^. 1 

Once the viewer software hi I identified the exact location \ the signature block, 

it removes all of the graphic data of I 1 deluding the border) 

and sets it to the default blank value used during\signature calculation. It performs an 
optical character recognition of the signature data tothin the block to obtain the value of 
the digital signature. According to advantageous\aspects of the invention disclosed 
elsewhere, the digital signature can be applied to a skure delay ti obtain another, larger 
digital signature value. The digital signature value (L shown or is expanded through a 
secure delay) is then validated against the modified TIFF representation of the document. 

Very tJ|uly yours, j 
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PEERNET.DRV TIFF Driver(worI / e-business automation) 

PEERNET.DRV TIFF Driver * 

Selecting a Driver I Suppatted Platforms I Common Eeatures I Support ! 
I Online S olutions i 
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me 

MUAL 



Ma 



nline 
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At 3.0 



JJSS? hT'PSy I IFF Dr, Y er converts any document capable of being 
Srl ^il™°?!l s a PJ },,( ?« ti(>r l int0 h '9 h c ' ualit y serialized or mult? 
ffiVh^OT^ii ' S id , ea ' for , imaging or archiving applications. It's 
also a handy file-generation, tool for cross-platform article distribution. 

2^^S rs - on '?u as fa ?.? s P rintin 9- Document scanning is obsolete. 
Paper waste is a thing of the past. 

Features of PEERNET.DRV TIFF Driver ~~ 
Append Mode (Version 4 only) 

^ V e^!^U! dually by appendin9 pa9es to an existing fl,e 

Color Correction 

\&JtSH jS&EJ?* 'page's appearance to compensate for monitor non- 
linearity on Windows NT 4.0 and Windows 2000l 

Color Modes 

Color or "Black and White only". 
Color Reduction 

SiTrSwJ.?" 6 CO i 0r reducti0 . n on °r off, to suit your needs. Automatic 

redl ^ es your , mage t0 its fewest number of colors 
without affecting picture quality. In addition, automatic color reduction 
selects the optimal output format for serialized files or the optTmal 
output page format for multi-page files. «M"">o« — 

Compression 

Turn Compression on or off as needed. 
Output Formats 

TJ« I, rue C _ lor Un , cor "pressed or Compressed Packbits 

^P"° c, ] rom 1 e Uncompressed or Compressed CCITT Group 4 
tiff 256 Color Uncompressed or Compressed Packbits 

Paper Size 

miSi U c° m documents up to 18.03 x 18.03 inches, or 458 x 458 
millimeters. Supports most paper sizes. 

Resolutions 

100, 200, and 300 DPI resolutions. 
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DOWNLOADS 
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EZ-Printer for Windows NT 

Print to image file from any application 
ZDNet Rating **** User Rating NR 
BeOneof t he First to Rate This^m^ 



Company: Suntop 

Version: 

Size: 774.95 KB 

Downloads: 485 



Power Search K ^ ^ 
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* View file co ntents 

Requirements: Windows NT 4.0 

Purchase Information: Demo: $49-$59 for retail version. 

EZ-Printer for Windows NT makes it possible to print from 
any application to an image file. It installs itself as a native 
device in the printer control panel. Users can simply 
choose Print and select the EZ-Printer printer from the list 
^of available printers. Output Is In black and white (the 
author has a color version, too) and is automatically saved 
in the file format of choice (DIB BMP, GIF, TIFF, or PNG ). 
The images are automatically sequentially numbered. The 
included viewer will let users see the results immediately. 
This demo version of the driver includes a banner in the 
middle of the image. Virtually no documentation is 
included, so users will need to visit the authors 1 Website to 
get information or support. Output also seems to be limited 
in resolution, with no apparent way to control the dpi. Still 
EZ-Printer could be particularly useful for Websites, writing 
documentation, presentations, and many other 
applications. 

Reviewed on Oct 23 1999. 
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FREE8 

Optimize Windows 
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Protect Your PC 

Download Sygate 
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It's FREE! 



cf (I* 



Download Now 
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Services: 

m> 

Upload a, pile. 
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SmartPlanet 
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PRINT TO SIGNED TIFF FILE Atfe<£M>V* /Or 

According to various aspects of the present inventions, a document can be signed 
by printing the document to a TIFF file using a virtual printer driver, e.g. provided by a 
service such as "SelfCertify.com." (Note that SelfCertify.com is not an operating 
business entity, though the applicant has registered the domain name, and has not 
offered any product or service for sale as of the filing date of the present provisional 
application.) The TIFF file is created as it normally would be except that includes a 
signature block within a suitable field. 

In one embodiment, the signature block is included within the TIFF 
"ImageDescription" field, the ASCII contents of which are excluded from the signature 
calculation of the file. (See AF-3.) In an actual implementation; the user "prints" the 
document to the digital signature printer driver. The driver will creates the TIFF (multi- 
page if necessary), with blank characters in the fixed-length "IrpageDescription" field 
where the signature data is intended to reside (setting that data td> a default blank ASCII 
value), compute signature for the entire document with the default blank value in the 
"ImageDescription" field, and place the signature data in the "ImageDescription" field 
as ASCII. 

The document's signature can be verified simply by opening it with a 
customized TIFF reader, which extracts the signature data from the "ImageDescription" 
field and validate it against the data of the document with! default blank values 
substituted in the "ImageDescription" field. 

An exemplary process is illustrated in the attached FIG. (AF-4), in which a signer 
creates a document using whatever software he (or she) wishes! to use (e.g., Microsoft 
Word 97). He or she then prints the document to the SelfCehify.com virtual TIFF 
printer. The printer driver software creates a TIFF file of the document and displays it 
in a viewer window. The user interface of the viewer window requests authentication 
from the signer to apply his digital signature to the document. The authentication can 
be a securely delayed passphrase input according to various aspects of the present 
inventions. 

Advantageously, the signed document is in a conventional format (e.g., multi- 
page TIFF) that can be read by any conventional viewer is signature authentication is 
not needed. When signature authentication is needed, a document can be viewed using 
the SelfCertify.com TIFF viewer (which may be distributed freely to encourage use of 
SelfCertify.com's digital signature services). 

The signer's public key can be included in the signature data along with the 
digital signature and the name of the signer. A facsimile copy ofj the key ACI (see, e.g., 
Appendix A) can be appended to the end of the TIFF file aftef the document pages. 



Having both of these items present in the TIFF file permits a verifier to quickly 
authenticate the signed document. If he or she is satisfied with tile integrity of the TIFF 
reader/ verification software he or she has obtained (e.g., from! a secure, trusted web 
page of SelfCertify.com), and if he or she is satisfied that the facsimile copy of the ACI 
with its security background digits is not a forgery, he will have everything he needs to 
validate the signature of a person who has not made any p^rior digitial assigning 
arrangements with him. j 

Signing and verification software according to various Aspects of the present 
inventions can be integrated with the GPG ("GNU Privacy Guard") software, which can 
be freely distributed and modified under the GNU Public License. The signing and 
verification software can call the GPG software with parameter passing. The inventor of 
signing and verification software can thus include, generally, a slightly modified TIFF 
printer driver and TIFF reader that calls the GPG software for all digital signature 
functionality. All three pieces of software can be released in a single compact package. 

The TIFF reader software can provide the option to output the original TIFF file 
(without signature data in the "ImageDescription" field) along with a PGP-compatible 
detached signature to the file and an ASCII file with the signer's public key. This 
permits less trusting users to verify integrity of the signature and signing key 
(comparing PGP's SHA-1 "fingerprint" to what's shown on the ACI) with their own 
copy of PGP or GPG. 
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Sample "ImageDescription" Tiff Field 



Tag = 270 | 
Type = ASCII j 

Count = Fixed number of characters in signature blcick, plus 1 for NUL at 
end. j 

Value = 1728 

SELFCERTIFY.COM SIGNATURE DATA - - J 
Signed by: Edwin A. Suominen J 

mQGiBDk8ZlMRBADZZObehMneOqwL7mu7fa/KfbPx2wLtMSihh3Ia.tOo6o6e/twYQ J 
3Z27YlIlu9uvhIkdsBrQ7b+N0paKyJAu691eE5gzP8VEdzfLJtC0DXvdO9+H57Er J 
PGicVujuGGIPxvzA7QuyxNxDzndKtFIGO60zn452pWrg/77iA+Ne0CYCuQCg/9I3 J 
6bNa0vfxxUV3CS+/PDo9V P ED/jwquHOyJQY0i0jZNdaT9ZN8mzR0lPgfyGHuNBpp J 
yoPRhck0nMelBxNG83M2v243M0DUmabCPuGqqOtYKe5YLqAw/iM5IWwp3EctEHGU J 
4 8r8gC7rYKRHOLosyBfx6/uQkpGiNeM4TAI9QpqVzsbHvFlH5LSauLbHOSAwTUoM J 
e/+uBACTQjV15XA+MPwaIxlvZ3lD2iEX/XFLOedxA5XzcN9uVlet+Chxd7xJn66x J 
w0xzdVLvb/kCdcNY8idJkJVqAUx249S+PymCQFR+sX0pxXCVky4|jgtLDToX0wWlG J 
6C0kPzURlAH9jdAUaPc+7SClTdixmOPsLRll + 5PzUUVhNj 6b8bQ§RUFTIEplbmUg J 
M j AwMCA8 ZWRAZWVwYXRlbnRzLmNvbT6 JAFQEEBECABQFA j kSZlM^CQAiRwAECwMC J 
AQIZAQAKCRCRZ8BksUXUY2Y3AKCG99iXRgxGmOssyOC0Lwm/U0yECACfW6R9rI2f J 
G+UeNOWE/b2TJDt4 9La5Ag0EOTxmUxAIAPZCV7cIfwgXcqK61qlb8wXo+VMROU+2 J 
8W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh01D49Vlf3HZS J 
Tz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXsc^qtNbno2gpXI6 J 
lBrwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOAlFHQ98iLMcfFstjvbzySPAQ/Cl J 
WxiN j r tVj LhdONMO /XwXVOO j HRhs3 j MhLLUq/ z zhsS lAGBGNf I Sp.CnLWhsQDGcgH J 

KXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVekyCzsAAgIH/0V8 J 
DY5p j 5 lRDGsakRhMebL90b 7v9GsbZN6 P f Tg02upuCi 6 WUya zabwk J4 ZFc 7vtpo 8x J 

FQOkCofOLtnisNim7r0PyWrW0SgHLbcXwMMUUblh/QbggH0WtkkjjrzxgNGL+MLJZa J 
ND4R0gle03PQep4SZgA6/x9OUGWStmzWEt3jk/VdnImS5gDJmNHinCX7+ZaCxROiL J 
z03oDmzIRpVYk3+tnekDVhhrDwX5lQlzUoCg43hAmAlQl/KNFBw^qiolOEvLyJby J 
hUzhGqdzd/MJkNHXviOoJyuOnQH+08lEME5S2Ejl9epf4Rfuf 9rh8uR7tl3YEraD J 
wqw04 VI cd5n+ 6 F3 1 9 9G JAEwEGBECAAwFA j k8ZlMFCQAiRwAACgkbkWf AZLFF1GMG J 
KwCZARTQgJDOM4 OGBpOOJwPlescVP/gAoPI Jb/grnbNpbeQmG9UobWiT8PKll J 
=zFrB J 

-I 

Signature: J 

iQA/ AwUAOhs 1 j KmKuMvNCWDGEQ J4 TACe JpwTCOzNvxKhZVYagl 7 iBEuhKEMAn j tT J 
SivKAZgC21P/pMrro2HgTf Jo J ; 
=Adug<NUL>" j 
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IMPROVEMENT TO PGP 

By Edwin A. suominen 



Allowing keys of keyring to exist at different locations 



Lr^I ill k t f ol 1 ow the advice of some encryption experts to keep my private key 
(or at least a signing key) on removable media (e.g., a floppy disk) for added 
security. However, the only way to do this now is to have my enti re PGP key ri no on 
that floppy disk, if the key I'm truly worried about is to be! secure? I Xn't want 
to keep that floppy disk where it is easily accessible, instead? I will want to keeo 

keying^ IffioSj XJE"" 1 **" 1 ^ ° n the hard disk and ^4 ^WwiSST 

w°r ding S° this proposed improvement, PGPkeys allows users to specify the file 
"iSJJS^^nSIlS?^? °2 u 61 " ke / rin 9- Everything works normally except when an 
J«Sir ect P nvate ke y is to be used, e.g., to apply an especially important pgp 
signature to a contract, when that happens, the PGP software looks for the file 
containing the indirect key. If the file is located on removable media that is not 
in the drive, the software prompts the user to insert the removable media containina 
the indirect key. if the file is located on a pgp disk or somfe other type $ ntainin 9 

^57Sv??e V ?n^ser h ?o S m:uS r ?t?° Uld Simply indiCate that «*\^™ ^present 

i™nL U nL2l th( \/S£ ^ is com P le te, the software can advise! the user that it is no 
bad? in i?s selure lotion" Unm ° Unt the V ° 1ume ° r pU * the ^movable media 
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ed@eepatents.com, No Subject 



To: 

From: Ed Suominen <ed@eepatents.com> 

Subject: 

Cc: 

Bcc: ed@eepatents.com 
Attached: 



LAW OFFICES OF LOUIS J. HOFFMAN, P.C 

14614 North Kierland Boulevard, Suite 300 * Scottsdale, Arizona 85254 
Telephone: (480) 948-3295 * Facsimile: (480) 948-3387 

Edwin A. Suominen * Admitted to practice in patent matters before the U.S. Patent Office 
only 

Web Site: http://eepatents.com * PGP Public Key: http://eepatents.com/kev 



BEGIN PGP SIGNED MESSAGE 

Hash: SHA1 I 

This is an example of a message that has been signed with preserved 
formatting and an unobtrusive digital signature around clear-signed 
text, according to various aspects of the present inventions. 

BEGIN PGP SIGNATURE 

Version: PGP Personal Privacy 6.5.8 

iQA/AwUBOq03eqmKuMvNCWDGEQLwpwCeP j ly0iuPEKIeRsSyqTCA7S++MpIAnRPv • 

qtttmsePjh/WqGafymg/hVMs 

=q40y 

END PGP SIGNATURE \ 
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Printed for Ed Suominen <ed@eepatents.com> j 

AVI-I 
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CRYPTOGRAPHIC DOCUMENT DESTRUCTION 

BACKGROUND AND SUMMARY 

In private confidential conversation, two people can have a conversation without 
leaving any record of their conversation. With written or electronic communications, 
however, there is some record of what was said. That record can be difficult to 
eliminate. 

Paper communications such as letters can be shredded if both sender and 
recipient agree that they will destroy their copies. Electronic communications (e-mail) 
are more difficult to eliminate because backup copies can be made and automatically 
archived onto other locations. It is sometimes surprising that backup copies are 
available during discovery of communications that would be embarrassing. 
Accordingly, there is a need for a system of destroying electronic communications or 
records when the sender and recipient of the communications agree to do so. 

A system according to various aspects of the invention includes: an encryption 
subsystem; and a decryption subsystem, the decryption subsystem using a temporary 
key that can be disposed of to make encrypted communications ujnreadable. 

DETAILED DESCRIPTION j 

An encryption key allows an authorized person to decrypt encrypted 
communications. For example, an encryption key can be a passphrase, or use a 
passphrase, known only to a person authorized to decrypt communications. According 
to various aspects of the present inventions, the decryption kef can be destroyed. A 
passphrase for such a decryption key is preferably forgettable, for example a random 
alphanumeric string of sufficient length to be secure, j Advantageously, the 
alphanumeric string can be used as a passphrase to open communications or records 
when is desired to do so and then destroyed and forgotten aboikt when it is no longer 
desired for such communications or records to ever be decrypted' again. 

Operation of one embodiment includes (1) writing an electronic mail message to 
a person; (2) encrypting the communications using an agijeed-upon passphrase, 
preferably an alphanumeric random digit string, for example 12 digits in length; (3) 
sending the encrypted message to the recipient; (4) having the recipient type in the 
passphrase to open the encrypted communications; and then anfer a predetermined or 
agreed-upon period of time, (5) having both parties destroy thd passphrase (throwing 
away a Post-It note upon which the passphrase is written) so that neither the sender nor 
the recipient can ever decrypt the communication again. Preferably, the passphrase is 
used only for a short length of time or limited number of times ko that it is impossible 
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for either party to remember it. The more random and arbitrary cryptic the passphrase 
is, the more difficult it will be to ever remember. 

Systems according to various aspects of the invention cart be useful in the legal 
profession where sometimes legal professionals are called upon to testify about matters 
that were assumed to be privileged but the court determines: that they are not for 
whatever reason, as happens in patent practice sometimes. If ar^ attorney or agent has 
communicated with his client using this system, and the clientj agrees to destroy the 
passphrase after the matter is complete, and the device communicated by the attorney 
or agent is no longer relevant or needed and has been acted upon completely, then it is 
impossible for any court or any party to discover what to parties discussed. 

Even if a backup copy of an electronic mail message is found, a court can 
authorize a cryptananalysis of the message, but if it is encrypjted using PGP strong 
encryption, it would be very difficult, effectively impossible, fori the opposing party to 
figure out what the message said. : 

Embodiments can be employed in other types of communications that are 
encoded in digital form so that they can be encrypted. Even handwritten notes can be 
scanned into digital form and encrypted. 

Voice messages can be digitized and compressed, entire paper files can be 
archived by scanning and digitizing, and then encrypting injto a single encrypted 
archive file with a temporary key that can be disposed of after a predetermined time, 
which can be set by policy, for example one year. j 

According to another aspect of the invention, the keys need not be remembered 
or typed in by a human operator at all. According to this aspect, the key is an actual 
hardware device that transmits decrypting authorization indicia for a predetermined or 
agreed-upon period of time and then is incapable of doing so aftier that. An example of 
such a key is placed between a conventional PC keyboard and a PC. The device 
includes circuitry for reading a decryption key code or indicia fr dm another device such 
as a card having barcodes printed on it or a disposable integrated circuit, which can be 
made in the form of a key. 

The device can be sold with a number of keys that can be! used and disposed of 
by the user. For example, if the device is sold with twelve keys with refills of 12 
additional keys available by ordering, the user can encrypted jarchive records every 
month with a different key and cost a new (different) key away bvery month. The user 
may wish to keep the records on file for a period of several mobths in which case the 
user will begin using a key one month and then put the key into ^storage for a couple of 
months and then toss the key away, destroying it irretrievably affer that period of time. 
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An embodiment using printed cards is less expensive j and the keys can be 
disposed of more cheaply but it is more prone to unauthorized or inadvertent 
duplication, in which case the whole purpose of the system might be defeated. The user 
of such a system needs to take precautions that the keys are neveif duplicated. 

A database of which files correspond to which temporary keys can be created 
according to aspects of the invention so that an administrator can look over the list of 
keys about to expire and ask the persons involved with the effective files whether or not 
they need information from the files before they are destroyed. P^per documents can be 
shredded at the same time the keys are destroyed. If the key for! a paper file that has a 
corresponding electronic file is a card, the card can be kept with ihe paper file and both 
can be destroyed simultaneously. 

The key can be distributed from a sender of information to a recipient who is 
only authorized to access the information for a temporary period of time, for example 
one or two days. The sender of the information, or provider, cari demand the key back 
after that period of time. In such a system, the key needs to be difficult to duplicate, for 
example an integrated circuit in the shape of a key. A forgettable password would not 
work for such a system because the user could write it down without telling the sender, 
but the forgettable password system works well when both parties, or all parties 
involved, are in cooperation and consent to destroy the information and the forgettable 
password. 

### 
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CLOCK JITTER RANDOM BIT GENERATOR 

This invention uses existing hardware in a standard desktop PC with 
«°^h~ ery -r C ? mp ?£ t software to efficiently generate truly random 
numbers. Tell that introductory sentence to any cryptographer! and 
they will either (1) beg you tell them how, or (2) dismiss you as an 
ignorant crackpot and lead you to various references talkinq about 
?o,m£nn 9 h. h KM dl - k £ ead . latencies digitizing thermal noise, 
counting bubbles in fish tanks or lava lamps for generatinq true 

n!n2«i.«!l mbe k S i^ ( S e - t1 i!l!! "ichiPf have a hardware random number 
generator embedded in them, but I'm not sure that the AMD chips do. 
in any event, this invention provides random numbers from hardware 
that exists in all PCs today, and the need is still out therei for a 
simple software solution.) I think if they were to read the fbllowina 
thinTo? that?* scratch their head and say "Now why didpt I 9 

A method of generating a random binary bit according to various 
^P?«s of tfiis invention includes: (a) clocking a CPU using a 
phase- locked loop; (b) beginning a count of CPU clock cycles uoon a 
first transition of an independent clock signal (e g. , the pc"s 
= e li"7c2 e u5 0ck ' * h ^ h 9 enerat es interrupts on IRQ08 under cohtrol of 
a 32.768 kHz crystal); (c) recording the number of CPU clock cycles 
counted upon a second transition of the independent clock si ghal; and 
Jandom binary 9 bit e * sianificant bit of * he cou "t to servS as a 

Modern microprocessors use high-frequency clocks that are qenerated 
using a phase-locked loop (pll). The PLL multiplies 1 lower^fKouency 

affSl Shll 1 !^.,* 1 ** i Si9nal , t0 9 enerate microprocessor cl6cS" as y 
well as other clock signals used in the system. The Intel "CK98 Clock 

puT5o1e"' Zer/Dn a " GXamp1e ° f 3 Ch ' p containing a pll for this 

PLL's lock the output frequency of a relatively unstable 
voltage-controlled oscillator to the more stable reference freauencv 
?Ln JEffi ^dilator. The locking is performed using a fee§Sack V 
loop that has particular characteristics. Because phase locking 

lit m, 0U 5P U ^" This phase noise or jitter causes the frequency of 
the PLL output signal to randomly vary within a Gaussian < 
distribution. CPU clock generators are not designed to have very low 
phase noise because the exact clock frequency of the CPU is not 
particularly important. (That is in contrast to the type of pLl 
design I m familiar with, for cellphone receivers, where the phase 
2°, S «/?u ds ™2 0 dr ? p of t with " in ? f ew hundred Hz of the carrier.) The 
i™ -S e C ^ 98 J cl ?] 1 p ,i.. for sample, specifies that the "ideal fclosed 
Jh2^iU^f^ ndw J dth £ e attenuated 20 DB at 500 kHz, and a graph in 
the chip s data sheet shows the jitter (phase noise) spectrum' 



extending out to 50 kHz without significant attenuation. 

with these levels of jitter, the number of CPU clock cycles in anv 
given time interval can be expected to have significant variahce The 
high frequency components of the phase noise w?ll integrate over' lJnS 

SFJwt ^ nd i Cancel each 0tne , r °" t t0 some extent, but ?he number S? 
ffiffll-Zi V cles ov 5 r °2 e Predetermined time interval will bei 
^Ir e r e ^^ in a !; andom . fashion) from the number of cpu clock cycles 
over another predetermined time interval of the same length/ ; 

as a time interval gets longer, the number of clock cycles over thp 
interval increases and the possibility of an integer Si fflrenle 
between the number of clock cycles in two separati intervals of the 
same length increases proportionately. However, longer intervals 
elcTother^ut^ 6 "^ variations in instantaneous fJeq'ueScy™ cancel 

Tje probabilitv of any given frequency measured over a given time 
lr™ r X£l I s def l ned a I a Gaussian function of the frequency offset 
n£?cJ h $,i 0rrect PLL fre quency. Thus the probability of any given 
?rhrclr??^ en ^ me ?sured over a larger time interval can be exacted 
to be smaller than the probability of that frequency over the shorrpr 
time interval by a scaling factor inversely proportional to the 

<>f the ratio between intervals, so the probability S of 
o2 Slf S ^/ r !:2 uency - fde ^ measured over an interval t is a function 
^fh-i P ^- 0f I set)/SQ ? TCT/c:> - If the interval is quadrupled, the 
?S?e?5a i? ?/? m r a p U n 1 r^^ ? 1 ^ en 2 ffset ^equency over that logger 
shorter in?erval P roBa biTity of measuring that frequency over the 

However, the number of clock cycles employed in the freauencv' 
mp a ^rfnL' nCreaS S S ! ine arl/with thS length of thel KS5ai . The 
sinall t «r n?" 6 "^ deviat 1 0n Cover the interval) represented by a 
?h2 9 Inmhf? o£ ? fferenc ? in clo< * c y c1es is inversely proportional to 
the number of clock cycles, so, longer time intervals permit more 
accurate measurement of a given frequency deviation if an interval 
lLf|V ad : up ed « the P^babiTity of a given of fill freqJenc"? diffeSce 
shorier Jn^rval 1 : 58 dlfference is four tim " the probability It the 

tne ab ° ve . tw ? paragraphs, it is clear that any amoiint of 
random frequency deviation can be measured so long as the interval is 
made long enough. The probability of measuring a given offset'will 
decrease, but the ability of the measurement to detect that offset 
will ncrease faster than the decrease in probability of offset in 

Ihe^pSpSp^^ 6 '" Crude an a]ysis, an additional facioT lay be 
the presence of l9w-f requency deviations in the Gaussian '■ 
Hi H bution. it is possible that the integration of the area I under 
the Gaussian curve from zero offset to 1/fdev will increase to the 
point where a value of fdev=l/T will become likely. \ 

™*iS istenc ?-i°f a PLL to c °ntrol the CPU clock and a separate 
crystal oscillator to control a real-time clock in every PC Cand 

£Iv a 5 Ln a ^^°! h) i 0Ut there makes this method an extremely useful 
way to generate truly random bits. ! 

FAQ 

?i;o!S a ^ abou ^ 0 £ her Pseudorandom variations caused by other ! 
IF nn^r^iot 1 ^ ma ^ slow do ^ n the count in a predictable fashion? 
Al. uncorrected variances add, so the presence of any truly Random 
component in a binary number will result in a random LSB has long as 
the truly random component is at least one lsb in size. j 
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Q2: how large would the count of CPU clock rvrlP* Hp with o D *«+^.~ 
Illl-ITXJ 00 MBZ and 3 ?5t2?JS rlte^roS t P h2 t,Um 

A2: 15,258.8 

sSrtffi sir cycles - so what sort ° f ^ssiS^lSd you 

Q4: so what is the minimum frequency deviation fin Hertz** von'™.™ 
?Ia?-t r ?me V clo?k" 3 °' 5 microsec ° nd InterruS'lRtiJCal^Sl ft^™ 
A4: 98 kHz. 

Q5: what if the frequency offset is unlike! v to be thar bm» l nu0 r 
any given interval, say only a 10% probability large^over 
A5: Accumulate 100 potentially random bits over 100 real-timo 
intervals. The chance of every single one of those interval? *nlr$ 
P/^.^g random bit is 0.?0A100 9 = 0 0027%. since 2 lets? oSe of 



1 the bits 



^ ^"certainly be randomT simplyxOR al 
S??S ? K o« d r^u 11 have 3 random .bit. Note that the specifications 

&?Jo??? stlr^Cln^e^t%-on^ S ?r9? 0 k r H%^' kely tB " 10 

^JzP ss^APji six 

mil M seconds per random bit produced. : 51 x 
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- Cn - 14 Efficient Implementation 

14.51 Note (computational efficiency of reduction modulo b l - c) ] 

(i) Suppose that x has 2t base b digits. If I < t/2, then Algorithm 14.47 executes step 2 
at most s = 3 times, requiring 2 multiplications by c. In general, if I is approxi- 
mately^ - 2)t/{s - 1), then Algorithm 14.47 executes step 2|about s times. Thus 
Algorithm 14.47. requires about si single-precision multiplications 
(n) If c has few non-zero digits, then multiplication by c will be relatively inexpensive 
If c is large but has few non-zero digits, the number of iteration^ of Algorithm 14 47 
will be greater, but each iteration requires a very simple multiplication. 

14.52 Note (modifications) Algorithm 14.47 can be modified if m = 6< j c for some positive 
integer c < V: m step 2.2, replace ri-r + n with r<-r + (- 1)V<. I 

14.53 Remark (using moduli of a special form) Selecting RSA moduli of the form 6< ± c for 
small values of c limits the choices of primes p and q. Care must also be exercised when 
selecting moduli of a special form, so that factoring is not made substantially easier- this is 
because numbers of this form are more susceptible to factoring by thej special number field 
sieve (see §3 2.7). A similar statement can be made regarding the selection of primes of a 
special form for cryptographic schemes based on the discrete logarithm problem 



14.4 Greatest common divisor algorithms 

Many situations in cryptography require the computation of the greatest common divisor 
(gcd) of two positive integers (see Definition 2.86). Algorithm 2. 1 04 describes the classical 
Euclidean algorithm for this computation. For multiple-precision integers, Algorithm 2 1 04 
requires a multiple-precision division at step 1 . 1 which is a relatively expensive operation 
This section describes three methods for computing the gcd which ark more efficient than 
the classical approach using multiple-precision numbers. The first i s non-Euclidean and 
is referred to as the binary gcd algorithm (§14.4.1). Although it requires more steps than 
the classical algorithm, the binary gcd algorithm eliminates the computationally expen- 
sive division and replaces it with elementary shifts and additions. Lehmer's gcd algorithm 
(§14.4.2) is a variant of the classical algorithm more suited to multiple-precision computa- 
tions. A binary version of the extended Euclidean algorithm is given in §14.4.3. 



14.4.1 Binary gcd algorithm 



14.54 Algorithm Binary gcd algorithm 



INPUT: two positive integers x and y with x > y I 
OUTPUT: gcd(x,y). 

1- £*<-l. i 

2. While both x and y are even do the following: x<-x/2, v*-v/2 a<r-2a 

3. While x t^O do the following: \ ' 9 ' 

3.1 While a; is even do: xf-i/2. 

3.2 While y is even do: y*-y/2. 

3.3 t<r-\x - s/|/2. " ' i 

3.4 If x > y then x<-«; otherwise, y*-t. 

4. Return(p • y). 
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14.3.4 Reduction methods for moduli of special form 

When the modulus has a special (customized) form, reduction techniques can be employed 
to allow more efficient computation. Suppose that the modulus m is a i-digit base 6 positive 
integer of the form m = 6' - c , where c is an I-digit base b positive integer (for some 
l<t). Algorithm 14.47 computes x mod m for any positive integer * by using only shifts 
additions, and single-precision multiplications of base b numbers. 



14.47 Algorithm Reduction modulo m = 6' - c 



INPUT: a base 6, positive integer x, and a modulus m = 6' - c> where c is an i-digit base 
o integer for some I <t. 6 
OUTPUT: r = x mod m. 

2. While qi > 0 do the following: 1 

2.2 + 1, r *-r + ri. j 

3. While r > m do: r<-r - m. | 

4. Return(r). 



14 ' 48 SSSTi ~, C) Let 6 = 4> m - 935 = ^ 32213 ^ ^ 1 = 31085 = 

SSJ?o ^ f '"'I 7 " = ~ (U21)4 ' ^ C = (1121 ^' Her « * = 5 and Z = 4. 
Table 14.9 displays the quotients and remainders produced by Algorithm 14 47 At the be- 
ginning of step 3, r = (102031) 4 . Since r > m, step 3 computes r Jm = (3212) 4 □ 



i 


qi-ic 


9i 




r 


0 
1 

2 


(221232)4 
(2302) 4 


(132) 4 

(2)4 
(0)4 


(11231) 4 
(21232) 4 
(2302) 4 


(11231)4 | 
(33123)4 i 

(102031)4 ; 



Table 14.9: Reduction modulo m = 6' - c (W Example M. 



48). 



14.49 Fact (Immtnatkm) For some integer s > 0, q a = 0; hence, Algorithm 14.47 terminates. 

»• ftc = toV+n+ui > 0. Sincec < b*, Qi = fo^/i+^/c) > 
Since the Qi s are non-negative integers which strictly decrease as i increases, there is some 
integer s > 0 such that q s =0. j 

14.50 Fact (correctness) Algorithm 14.47 terminates with the correct residue modulo m. 

Justification. Suppose that s is the smallest index i for which $ = o!(i.e q s . 0) Now 

x - »^ + ro and 9i c = ^ft* + r<+1 , 0 < i < s - 1. Adding these equations gives 

* + (£i=o «) c - (Ei=o 9iJ 6* + Eto r 4 . Since 6* = c (mof m), it follows that 

x = Ei=o r t (mod m). Hence, repeated subtraction of m from r i V 4 „ r < eives the 
correct residue. : ^*=° ' 6 U1C 
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